I would like to offer to implement a feature to reject SSL handshakes that would fall back to the default certificate-key pair, in order to efficiently discard bot requests (i.e. requests that provide an invalid/not configured hostname, or do not specify one at all, such as requests made directly to the IP address).
Nginx already has such a feature implemented, as seen here [1], and it would be beneficial if Dovecot supported this too.
Currently I am using the following SSL configuration snippet to mimic such behavior:
    ssl_cert = </etc/ssl/dovecot/server.crt
    ssl_key = </etc/ssl/dovecot/server.key

    local_name flopster.at.encryp.ch {
      ssl_cert = </etc/ssl/domains/flopster.at.encryp.ch/fullchain
      ssl_key = </etc/ssl/domains/flopster.at.encryp.ch/key
    }
But in this case the problem is that invalid requests (for this example, requests that don't have a Server Name Indication at all, or that name anything other than flopster.at.encryp.ch) are still answered by Dovecot with a TLS certificate rather than simply being rejected with a TLSV1_UNRECOGNIZED_NAME error code.
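The behaviour requested above, as an added example that is not part of the original post and not Dovecot's code: a parser that pulls the server_name extension out of a TLS ClientHello, and a selection function that accepts the handshake only when the SNI matches a configured `local_name` and otherwise answers with the fatal `unrecognized_name` alert (AlertDescription 112, RFC 6066) instead of serving the default certificate. The ClientHello bytes are constructed inside the block purely as test input; `CONFIGURED_NAMES` mirrors the single `local_name` block from the snippet and is an assumption of this example.

```python
"""Added example: decide, from the raw ClientHello, whether a TLS handshake
should proceed (SNI matches a configured local_name) or be aborted with a
fatal unrecognized_name alert. Not Dovecot's implementation."""
import ssl
import struct

# RFC 6066 AlertDescription unrecognized_name(112); Python exposes the same value.
UNRECOGNIZED_NAME = ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME  # == 112

# Assumption for this example: the local_name blocks configured on the server.
CONFIGURED_NAMES = {"flopster.at.encryp.ch"}


def build_client_hello(server_name=None):
    """Constructed test input only: a minimal TLS 1.2 ClientHello record,
    optionally carrying a server_name extension. A dummy signature_algorithms
    extension precedes it so the parser has to skip an unrelated extension."""
    extensions = struct.pack("!HH", 0x000D, 4) + b"\x00\x02\x04\x01"
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # NameType host_name(0)
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(name_list)) + name_list
    body = (
        b"\x03\x03" + bytes(32)                    # client_version, random (zeroed)
        + b"\x00"                                  # session_id: empty
        + struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite
        + b"\x01\x00"                              # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # ClientHello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the ClientHello's server_name extension,
    or None when the client sent no SNI. Raises ValueError on malformed input."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                               # skip client_version and random
        pos += 1 + body[pos]                       # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                       # compression_methods
        if pos == len(body):
            return None                            # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype != 0x0000:                    # not server_name: skip it
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                name = data[p + 3:p + 3 + nlen]
                p += 3 + nlen
                if ntype == 0:                     # host_name entry
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("malformed ClientHello") from exc


def select_certificate(record, configured_names=CONFIGURED_NAMES):
    """Requested policy: serve a certificate only for a configured local_name;
    a missing or unknown SNI gets a fatal alert rather than the default cert.
    Returns ("accept", name) or ("reject", alert_description)."""
    try:
        name = extract_sni(record)
    except ValueError:
        return ("reject", ssl.ALERT_DESCRIPTION_DECODE_ERROR)
    if name is not None and name.lower() in configured_names:
        return ("accept", name.lower())
    return ("reject", UNRECOGNIZED_NAME)


if __name__ == "__main__":
    for sni in ("flopster.at.encryp.ch", "other.example", None):
        print(sni, "->", select_certificate(build_client_hello(sni)))
```

For a real server the same decision plugs into the TLS library's SNI hook; in Python's `ssl` module, for instance, an `SSLContext.sni_callback` that returns `ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME` makes OpenSSL abort the handshake with that alert, which is what a client then reports as TLSV1_UNRECOGNIZED_NAME.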